Hichem Mabrouki
7 September 2023

Step by Step to Enable Windows LAPS with Azure AD

According to Microsoft documentation, Windows LAPS (Windows Local Administrator Password Solution) is “a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices”.

The legacy solution, Microsoft LAPS, is still available, but Windows LAPS has several advantages, such as the ability to back up passwords to Azure AD, encrypt passwords in Windows Server Active Directory, and store password history.

LAPS is now natively integrated into Windows 11, Windows 10, and Windows Server.

If Windows LAPS is not available in your Windows version, you can install it manually or via Intune (Step III).

New features with Windows LAPS

Windows LAPS brings new features for on-premises AD and Azure AD scenarios.

The native version of Windows LAPS adds support for password encryption, password history, and automatic password rotation. Windows LAPS also adds Directory Services Restore Mode (DSRM) backups to improve the security of domain controllers.

Windows LAPS supports rich policy management via both Group Policy and Configuration Service Provider (CSP), and a new PowerShell module also gives IT pros better password management capabilities. Additionally, Windows LAPS adds support for hybrid-joined devices.

Enable LAPS in Azure AD

Step I

In the Azure AD portal, choose “Devices”, then “Device settings”, and enable Azure AD Local Administrator Password Solution (LAPS).

Enabling LAPS in Azure AD

Step II

Create an Intune Profile for Windows LAPS.

In the Intune portal, select “Endpoint security”, then “Account protection”, and click “Create policy”.

Endpoint security

Creating a policy

Step III: Install Windows LAPS via Intune

Info: Windows Local Administrator Password Solution (LAPS) is now natively integrated into Windows 11, Windows 10, and Windows Server. This step covers installing Windows LAPS via Intune for devices where it is not already present.

Then:

  • Add an app in Intune to install LAPS

Before creating the app in Intune, we have to create an Azure AD group. This group will be the scope used to deploy the LAPS MSI via Intune.

  • Create an Azure AD group
  • Add your PC to this group
  • Add a new app in Intune and assign it to the Azure AD group as the scope

Installing Windows LAPS via Intune

Step IV: Force synchronization

Force a synchronization between Azure AD and the PC or server.

After synchronization, the LAPS application should be installed and the Intune profile applied.

Force synchronization

Step V: View admin password

In Intune, select a device and click on Overview:

View admin password

Step VI: Rotate admin password

Key points about Windows LAPS

The benefit of rotating the local administrator password cannot be overstated, especially for SysOps administrators. They need to access systems with administrator privileges, which means passwords have to be shared and rotated periodically. With Windows LAPS we can rotate these passwords and share them securely with a specific group of administrators.

Windows LAPS only supports Windows versions (10/11/2019). There is an open-source Linux and macOS implementation of Windows LAPS, but it would be better if Microsoft integrated and supported this feature natively.
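As an added example (not part of the original post), here is how Steps IV to VI can be verified and scripted with the built-in Windows LAPS PowerShell module mentioned earlier and the Microsoft Graph PowerShell SDK. The first part runs elevated on the Azure AD-joined device, the second from an admin workstation; the device ID is a placeholder, and the registry path is the one Microsoft documents for CSP-delivered LAPS settings.

```powershell
#Requires -Modules LAPS
# ---- Part 1: on the Azure AD-joined device, after the Intune sync (Step IV) ----

# Effective Windows LAPS policy as written by the Intune CSP
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction Stop
$policy | Select-Object BackupDirectory, PasswordAgeDays, PasswordComplexity, AdministratorAccountName

# BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Windows Server AD
if ($policy.BackupDirectory -ne 1) {
    Write-Warning 'Policy does not back up to Azure AD; check the Step II profile.'
}

# Apply the policy now instead of waiting for the next scheduled run,
# then show the most recent LAPS events (success or failure of the backup)
Invoke-LapsPolicyProcessing
Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# Local equivalent of the portal's rotate action (Step VI): generates a new
# password immediately and backs it up according to the policy above.
$rotateNow = $false   # set to $true to rotate right away
if ($rotateNow) { Reset-LapsPassword }

# ---- Part 2: on an admin workstation, scripted version of Step V ----
Import-Module Microsoft.Graph.Authentication
# DeviceLocalCredential.Read.All is required to read the password itself;
# ReadBasic.All is enough for metadata only (no -IncludePasswords).
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All'

$deviceId = '<AZURE-AD-DEVICE-ID>'   # placeholder: the device's Azure AD device ID

# Reads the password backed up in Azure AD; -AsPlainText returns a string
# instead of a SecureString, so only use it in an interactive, trusted session.
Get-LapsAADPassword -DeviceIds $deviceId -IncludePasswords -AsPlainText |
    Select-Object DeviceName, Account, PasswordUpdateTime, PasswordExpirationTime, Password
```

Every read done with `Get-LapsAADPassword` is recorded in the Azure AD audit log, which is what makes the "share securely with a specific group of administrators" point above auditable.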
